Central Texas College District
Human Resource Management Operating Policies and Procedures Manual
Policy No. 294: Computer Security Policy

I. PURPOSE

To identify the requirements needed to comply with applicable regulations and protect electronic data.

II. SCOPE

The students, faculty, staff, guests, and external individuals or organizations that use computing and communications resources and/or equipment owned, leased, or rented by Central Texas College District (CTCD).

III. ROLES AND RESPONSIBILITIES

The CTCD community is responsible for protecting information and information resources. The level of responsibility depends on the role of the employee.

A. Users

A user is anyone who uses CTCD computing resources and/or equipment. Users are responsible for: reading, understanding, and complying with this policy; the management and protection of both computerized and non-computerized information; and protecting and caring for information technology devices that have been assigned to them to perform the duties of their respective positions. The consequences of not doing so are detailed in Sections III.C and V.B of this policy.

1. User-Level Security

   a. CTCD users will adhere to the provisions of HR Policy 295, Computer Usage. Questions regarding appropriate computer and network usage should be directed to the user's supervisor or Human Resources.
   b. Users will not share, write down, or send passwords via e-mail.
   c. CTCD provides open access to an unencrypted student/guest wireless network. Users must agree to the Terms of Use before access is granted to the wireless network. Wireless access points not authorized or managed by the IT Division are not permitted and will be shut down upon discovery by IT.
   d. Users utilizing the CTCD student/guest wireless network do so at their own risk. CTCD is not responsible for privately owned systems (e.g., laptops and mobile devices). Users are encouraged to transmit sensitive data only when strong encryption is available.
   e. CTCD is not responsible for any illegal content that is received, transmitted, or stored by users.
   f. Users should not use systems or software that are not approved by the IT Division.
   g. Users gaining access to CTCD computing resources via a virtual private network (VPN), the wireless network, or Outlook Web Access (OWA) are responsible for ensuring their systems are free of malware.
   h. Users will follow the rules posted in computer labs. If computer usage rules are not available in the lab, users will follow local, state, and federal laws, or obey the computer and Internet usage laws of the applicable host country. Users will log off systems when they are finished.
   i. Users will exercise caution when opening e-mail and browsing the Internet. Users will not open unexpected or suspicious attachments.
   j. Users are responsible for the security, usage, and outcome of any computer system or network device they attach to the network.
   k. Users will immediately report any suspected or known information security compromises to the IT Help Desk.

2. Computer Accounts

   a. Users will use strong passwords that are changed on a recurring basis, not exceeding 42 days.
   b. Users are responsible for all activities (i.e., their own activities or another person's activities) associated with any computer account assigned to them.
   c. Users will only use computer accounts that have been created for them.
   d. Users will immediately report any suspected unauthorized use of their account(s) to the IT Help Desk.

3. Individually Assigned Computing Resources

   Users will log off their workstation at the end of the day and leave their computer(s) powered on to accept updates that are distributed overnight via the CTCD data communications network.

4. Computer Security Incidents

   Users are to immediately report suspected computer security incidents (e.g., hacking) to the IT Help Desk.

B. Managers

Managers are users who supervise other users. Managers are responsible for the following items:

1. Ensuring that the users they supervise have access to the information needed to perform their respective jobs.
2. Requesting information access for their appointed users from the appropriate data steward(s) (see Section III, item C).
3. Periodically reviewing the level and/or extent of access for their appointed users, and requesting removal of access for their users when employment is terminated.
4. Ensuring that any specific information security policies and procedures they establish for the users they supervise are consistent with this policy, as well as with other CTCD policies and laws.
5. Administrative units will stay abreast of software updates for their departmental and/or workgroup applications. Installation assistance will be sought from the IT Division.
6. Administrative units are required to provide the IT Division with a copy of any new or unique software being used by their department and/or workgroup. This copy will be stored in the IT Division's software library.

C. Data Stewards

Data stewards are users who own, manage, and grant access to data. Data stewards consist primarily of Division directors, deans, and Datatel Colleague functional custodians (i.e., users who oversee an entire Colleague module, such as Colleague Financials, or a functional subset, such as Accounts Payable). Data stewards are responsible for the following:

1. Classifying and labeling the information for which they are responsible (see Section IV).
2. Determining which users are authorized to have access to their data.
3. Directing the Information Technology Division to grant or remove access for their authorized users.
4. Informing their users of the classification of data they can access and the rules that correspond with protecting Class 2 or Class 3 information from unauthorized access or usage.
5. Collaborating with the Information Technology Division to establish specific information security policies and procedures for the information resources they manage. Such policies and procedures must be consistent with this policy, other CTCD policies, and the law.
6. Protecting their data and exercising discretion concerning access, usage, and dissemination.

IV. CLASSIFYING, STORING, AND TRANSMITTING DATA

A. Classes of Data

Data stewards should classify their information into one of the three classes listed below and declare who is authorized to access and disseminate that data. The three classes of data are as follows:

1. Class 1 - Public information. Information made available either to the public or to specific individuals who need it with few, if any, restrictions. The published class schedule is an example of Class 1 data.
2. Class 2 - Information with limited distribution. The loss, corruption, or unauthorized disclosure of this information would not affect the operational effectiveness of CTCD. A document detailing a fund-raising strategy is an example of Class 2 data.
3. Class 3 - Private information. Information that is confidential and protected from external access and unauthorized internal access. Loss, corruption, or unauthorized disclosure of this information would impair the business or research functions of CTCD; result in business, financial, or legal loss; or be a violation of federal or state laws/regulations or CTCD contracts. Data integrity is vital. An example of private information would be a student's academic record.

B. Storing and Transmitting Data

1. Class 3 information should not be stored on users' workstations.
2. Class 3 information, such as social security numbers, passwords, and other potentially name-linked data, should never be transmitted unless it is encrypted using IT-approved encryption. For questions about encryption, contact the IT Help Desk.

V. USER SECURITY VIOLATIONS

User violations include, but are not limited to, the following:

1. Interfering with the operation of anti-virus/malware detection software installed by the IT Division or willfully introducing computer malware into the CTCD network.
2. Generating malicious or illegal traffic and/or attempting to gain unauthorized access to sensitive or personal data belonging to CTCD or other entities, or executing port scans, security scans, or any form of network monitoring that intercepts data not intended for you.
3. Examining, copying, modifying, or deleting data or electronic mail belonging to other users without their prior consent or proper authorization.
4. Using CTCD computer systems and/or networks to gain unauthorized access to remote systems.
5. Attempting to obtain unauthorized access to or interfering with the operation of network systems or programs.
6. Intentionally operating any network-intensive application that overloads the network.
7. Performing any unauthorized action that damages or disrupts a computing system, alters its normal performance, or causes it to malfunction.
8. Forging or attempting to forge electronic mail messages or header information.
9. Making illegal copies of software licensed to CTCD.
10. Using CTCD-owned computer accounts, computer equipment, communications equipment, software, or networks for commercial or non-work-related purposes.
11. Modifying configuration options or installing software that may cause increased security vulnerabilities (e.g., remotely accessing a CTCD-owned computer in a way that bypasses existing security measures).
12. Interfering with the ability of other users to utilize shared computing resources (e.g., deliberately deleting data from shared resources, moving shared files or folders without permission, or storing inappropriate material on shared drives or folders).
13. Offering server-class services from your workstation or other device without prior approval from the Information Technology Division.
14. Connecting any wireless access device to the campus network without prior approval from the Information Technology Division.
15. Attempting to decrypt passwords or other encrypted information.
16. Attempting to secure a higher level of privilege on network systems or attempting to subvert the restrictions associated with your account(s) and/or software.
17. Revealing your account password to others, except for the purpose of technical support by Information Technology Division personnel, or allowing use of your account by others such as family and other household members.

A. Privacy and Confidentiality

1. Information Handling

   You are responsible for knowing the privacy and confidentiality restrictions associated with any information to which you have access. You agree to safeguard information that is classified Class 2 or Class 3. Such safeguards include, but are not limited to, the following:

   a. Storage of Information
      i. Users will store Class 2 and Class 3 information on secure network drives provided by the Information Technology Division.
      ii. Users will not take Class 2 or Class 3 information outside of CTCD unless it can be assured adequate protection and is stored in an encrypted format.
   b. Distribution and Transmission of Information
      i. Users will not distribute or make Class 2 or Class 3 information available to persons who are not authorized to access the information.
      ii. Users will appropriately protect Class 2 or Class 3 information that is transmitted electronically, physically, or spoken in conversation from unauthorized interception.
   c. Destruction and Disposal of Information and Devices
      i. Class 2 or Class 3 documents will not be placed in recycling bins or trash cans. All such documents will be cross-shredded when discarded.
      ii. Users will ensure that Class 2 or Class 3 data is rendered unreadable when disposing of computers or removable media.

2. Electronic Communications and Data

   a. CTCD does not routinely intercept or monitor electronic mail, other electronic communications, or other data stored in electronic format. Capture and/or "reading" of electronic communications and/or other data stored in electronic format by technical staff or others is expressly prohibited, except under the following circumstances:
      i. To resolve technical or delivery problems.
      ii. To prevent illegal, unauthorized, or inappropriate use.
      iii. To meet externally imposed legal requirements.
      iv. In the course of an internal or external investigation.
      v. To protect health and safety.
      vi. To prevent interference with the mission of CTCD.
      vii. To locate information required for CTCD business that is not readily available elsewhere.
   b. CTCD reserves the right to disclose the contents of our electronic communications, or other data stored in electronic format, without permission of the user.
   c. Users agree that electronic mail, electronic communications, or data stored in electronic format with the use of CTCD resources may be made available for review by any authorized CTCD official for purposes related to CTCD business.
   d. User correspondence in the form of electronic mail may be subject to public inspection as a public record under the Open Records Act.
   e. The Family Educational Rights and Privacy Act (FERPA) of 1974 protects students against the release of some information. Electronic correspondence may become a student record under FERPA and may be available for disclosure under that act. All use of electronic mail, including use for sensitive or confidential information, will be consistent with FERPA.

3. Confidential Data

   Users agree to comply with the following:

   a. FERPA. If your account gives you access to student data, you must comply with all FERPA regulations regarding disclosure of student information.
   b. The laws of the State of Texas, the United States, and other regulatory agencies. This includes all applicable federal and state laws that govern the privacy and confidentiality of data, including, but not limited to, the Electronic Communications Privacy Act of 1986, the Health Insurance Portability and Accountability Act (HIPAA), the Foreign Corrupt Practices Act, the Gramm-Leach-Bliley Act, and the Computer Fraud and Abuse Act.
   c. All CTCD policies and handbooks.

B. Consequences of Policy Violations

1. Failure to comply with the IT Security Policy or related policies will be reported to the CTCD Human Resources Department.
2. Violations of local, state, federal, or other laws will be reported to the appropriate, respective authorities.
3. The Information Technology Division may revoke a user's account at any time if computing privileges are abused. This revocation may be temporary, if such action is deemed necessary for the successful management and operation of the facilities, or permanent through the normal CTCD disciplinary process.
4. Failing to maintain a secure system, or any violation of HR Policy 295, Computer Usage, may result in immediate loss of network connectivity and account lockout.
5. Systems that appear to be infected or compromised will be immediately disconnected from the CTCD network until the system is scanned and cleared for use. IT Division staff will attempt to notify the user when his/her system is taken offline.
6. Any individual found violating this policy, including misusing data, divulging confidential data, or otherwise violating these guidelines, will be subject to disciplinary action in accordance with the Human Resources Management Policies and Procedures Manual, up to and including termination of employment with CTCD. Any known violations of these guidelines must be reported to a supervisor or Human Resources.

VI. EXCEPTION TO POLICY

Individuals or departments seeking an exception to this policy will do so in writing from the appropriate data steward (i.e., the Director of Student Services) or the IT Division.